While you struggle to figure out whether your significant other would rather have jewelry, chocolate, flowers, or all of the above, Microsoft has an entirely different view on what to give for Valentine’s Day. Although we’re nearly halfway through the month, it just so happens that today is the second Tuesday of February, and that means it’s Patch Tuesday.
As predicted in its Patch Tuesday preview last week, Microsoft released a total of nine new security bulletins today. Four of them are rated as Critical, and the remaining five are Important. I got some input from security experts to help you understand which updates are most urgent, and enable you to prioritize your patch management resources accordingly.
Andrew Storms, director of security operations for nCircle, doesn’t appreciate the show of love from Microsoft. He laments the lack of candy hearts, and stresses that users should pay particular attention to the Internet Explorer update—which applies to all versions of IE this month. “Typically, we expect newer versions of IE to be a little safer, but that’s not the case this month.”
Storms also calls MS12-013 a Microsoft “nasty-gram”. He says that the only known attack vector right now is Microsoft’s Windows Media Player, but that the patch should be applied as soon as possible because it will most likely be a popular target for attackers.
Tyler Reguly, technical manager of security research and development at nCircle and a peer of Storms, has a slightly more “glass half full” perception of Patch Tuesday. “It's Valentine's Day and Microsoft knew exactly how to speak to my heart: they fixed some cross-site scripting issues related to SharePoint. This is definitely the best gift a web-oriented security researcher could ask for.”
Kurt Baumgartner, a senior security researcher for Kaspersky, says that the GDI access violation vulnerability patched by MS12-008 has been known about for a while now, and there is speculation that it could be remotely exploitable. However, Baumgartner is skeptical. “With the manner in which it was distributed, if it was truly exploitable, it is highly likely that something would have turned up by now.”
Rapid7 security researcher Marcus Carey has some general-purpose advice that applies to this month’s Patch Tuesday, but also transcends the monthly patching cycle. He points out that Web browser and media player exploits will continue to be a serious issue, and that organizations should employ policies and processes that minimize the risk.
Carey explains, “The problem with browser and media player compromises is that the end user is unaware that they have been compromised, which can lead to the kind of long term breaches we see reported in the news these days.”
VMware’s Jason Miller also wants to make sure you don’t forget that Microsoft is not the only game in town. “Adobe released two new security bulletins today affecting two Adobe products. Security bulletin APSB12-02 affects Adobe Shockwave and fixes nine vulnerabilities. Adobe Security bulletin APSB12-04 affects Adobe RoboHelp for Word and fixes one vulnerability.”
Microsoft, the security researchers and vendors quoted here, and I all recommend that you apply the appropriate patches as soon as possible. Consumers and small businesses can simply rely on Automatic Updates in Windows to apply the patches while they sleep, but larger organizations need to determine which updates represent the greatest risk and prioritize resources so those updates are applied as quickly as possible.
Happy Valentine’s Day!